File filtering

Applies to: Forefront Security for Exchange Server

Topic Last Modified: 2008-06-03

The Forefront Security for Exchange Server file filter feature gives you the ability to search for attachments with a specific name, type, and size within an e-mail message. If a match is found, the file filter can be configured to perform actions on the attachment such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means to detect file attachments within e-mail messages and other Outlook items, including Tasks and Schedules (such as meetings and appointments).

In the Shuttle Navigator click FILTERING, and then click the File icon. The File Filtering pane appears.

In the upper work pane, select the scan job for which you would like to create the file filter.

To detect file files with a particular file name, add the file name to the File Names section of the work pane. Click the Add button and type the name of the file to be detected. (There are also buttons with which to Edit and Delete existing entries.) Use the up and down arrows (on the same line with File Names) to change the order in which a selected filter is executed.

Optionally, the file filter can be configured to filter files based on their size. To detect files by size, specify a comparison operator (=, >, <, >=, <=) and a file size in kilobytes (KB), megabytes (MB), or gigabytes (GB). These are placed immediately after the file name, with no spaces between the file name and the operator or the operator and the file size. File sizes must be entered using the English size keywords KB (for kilobytes), MB (for megabytes), and GB (for gigabytes). The General Options setting Max Container File Size specifies the maximum container file size (in bytes) that FSE will attempt to clean or repair in the event that it discovers an infected file.

Examples:

*.bmp>=1.2MB all .bmp files larger than or equal to 1.2 megabytes

*.com>150KB all .com files larger than 150 kilobytes

*>5GB all files larger than 5 gigabytes

Specify the list of file types that can be associated to the selected file name. You can select one or more file types from the list or select All Types located below the list. If the file type you want to associate to the selected file name is not available in the list, then select All Types. (For a description of the file types listed in the selection box, see File types list.)

The All Types selection configures Forefront Security for Exchange Server to filter based only on the file name and file extension. By selecting All Types, Forefront Security for Exchange Server is configured to detect the selected file name no matter what the file type. This prevents the potential of users bypassing the filter by simply changing the extension of a file.

If you know the file type you are searching for, Forefront Security for Exchange Server will work more efficiently if you select the appropriate file type rather than All Types. For example, if you want to filter all EXE files, create the filter * and set the file type to EXE.

Ensure that the File Filter is set to Enabled. It is enabled by default.

Indicate the Action to take if there is a filter match.

Indicate whether to Send Notifications for the selected file name. This does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). It is disabled by default.

Indicate whether to Quarantine Files for the selected file name. It is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.

Note:

Forefront Security for Exchange Server provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about keywords, see Keyword substitution macros.

If you want to filter certain file types, you can create the filter * and set the File Types selection to the exact file type you want to filter.

For example: Create the filter * and set the File Types to MP3. This ensures that all MP3 files are filtered no matter what their file name or extension.

One advantage of setting a generic * filter and associating it with a certain file type (for example, EXE) is that it prevents the potential of users bypassing the filter by simply changing the extension of a file.

Note:

If you want to filter Office 2003 and older Microsoft Excel® files, you will need to enter *.xls or * in the File Name box and then select both WINEXCEL and DOCFILE in the File Type list. Excel 1.x files are WINEXCEL type files but newer versions of Excel are DOCFILE file types.
For Office 2007 documents (Word, Excel, and PowerPoint) you should use the proper file extension in the File Name box and then select “OPENXML” in the File Types list.

If you want to filter any file that has a certain extension, you can create a generic filter for the extension and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: Create the filter *.exe* and set the File Types selection to All Types. This will ensure that all files with an .exe extension will be filtered.

Important:

When creating generic file filters to stop all of a certain type of file (for example .exe files), it is recommended that you write the filter in this format: *.exe*. The second asterisk (*) will prevent files with extra characters appended after the file extension from bypassing the filter.

Note:

Microsoft recommends avoiding the use of the generic filter * with the File Types set to All Types. This filter configuration could result in the reporting of repeated detections.

If you want to filter all files with a certain name, you can create a filter using the file name and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This ensures that any file named payload.doc will be filtered no matter what the file type.

Detecting file attachments by name is also useful when there is an outbreak of a new virus and you know the name of the file in which the virus resides before your virus scanners are updated to detect it. A perfect example of this was the Melissa worm. It resided in a file named List.doc and could have been detected by Forefront Security for Exchange Server using a file filter even before virus scanners could detect it.

Choose the action that you want Forefront Security for Exchange Server to perform when a file filter is matched. By default, it is set to Delete: remove contents.

Note:

You must set the action for each file filter you configure. The Action setting is not global.

Skip: detect only

Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Delete: remove contents

Deletes the file attachment. The detected file attachment is removed from the message and the Deletion Text is inserted in its place.

Purge: eliminate message

Deletes the message from your mail system. When you select this option, a warning appears, informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.

Note:

If the Quarantine Files box is selected, however, purged messages will be quarantined and can then be recovered from the Quarantine database.

Identify: tag message

The subject line or message header of the detected message can be tagged with a customizable word or phrase so that it can be identified later for processing into folders by user inboxes or for other purposes identified by the Forefront Server Security Administrator. This tag can be modified by clicking the Tag Text button on the Scan Job Settings work pane and modifying the text. The same tag, however, is used for all filters associated with the particular scan job. This action is only available for the Transport Scan Job. For more information about Tag Text, see "Configuring the Transport Scan Job" in Transport Scan Job.

In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering pane appears.

In the upper work pane, select the scan job for which you would like to modify the file filter.

Make the required changes to the various fields. The changes apply to the selected scan job.

Click Save to save your filter changes.

Making any change to the configuration activates the Save and Cancel buttons If you make a change to the selected scan job and try moving to another scan job or shuttle icon without saving it, you will be prompted to save or discard your changes.

Use wildcard characters to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following to refine your filters:

*

Used to match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage:

Single: Any of these single wildcard character patterns would detect veryevil.doc:

veryevil.*, very*.doc, very*, *il.doc.

Multiple: Any of these multiple wildcard character patterns would detect eicar.com: e*c*r*om, ei*.*, *car.*.

Note:

Use multiple asterisks to filter file attachments with multiple extensions. For example: love*.*.*

?

Used to match any single character in a name where a single character may change. For example:

virus?.exe would find virusa.exe, virus1.exe, or virus$.exe. However, this filter would not catch virus.exe.

[set]

A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set is matched. For example:

klez[a-h].exe would find kleza.exe through klezh.exe.

[^set]

Used to exclude characters that you know are not used in the file name. For example:

klez[^m-z].exe would not find klezm.exe through klezz.exe.

[range]

Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example:

klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe but not klezb.exe or klezr.exe.

\char

Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and indicates that a reserved control character is to be taken literally, as a text character. For example:

If you enter *hello*, you would normally expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

When using the file filter in conjunction with the Transport Scan Job, you can configure a filter so that it only checks inbound or outbound messages. This is accomplished by adding an <in> or <out> prefix to the file name when entering it in the File Names work pane:

(For information about the inbound, outbound, and internal designations, see Transport Scan Job.)

Note:

There are no spaces between the prefix and the file name.

Note:

The prefixes <in> (for inbound messages) and <out> (for outbound messages), must be entered in English.

Container files can be broadly described as complex files that can be broken down into various parts. Forefront Security for Exchange Server can scan the following container files for filter matches:

PKZip (.zip)

GNU Zip (.gzip)

Self-Extracting .zip archives

Zip files (.zip)

Java archive (.jar)

TNEF (Winmail.dat)

Structured storage (for example, .doc, .xls, or .ppt)

Open XML (for example, .docx, .xlsx, or .pptx)

MIME (.eml)

SMIME (.eml)

UUENCODE (.uue)

Unix tape archive (.tar)

RAR archive (.rar)

MACBinary (.bin)

Forefront Security for Exchange Server scans all parts of the container file and re-packs the file as necessary. For example, if you configure a file filter to delete all .exe files, Forefront Security for Exchange Server deletes .exe files inside container files (replacing them with the Deletion Text) but leaves all other files in the container intact.

Note:

Forefront Security for Exchange Server cannot scan password protected files or encrypted files. Although FSS does not decrypt such files, the files are always passed to the antivirus scanners in their entirety in their encrypted form.

To exclude the contents of a .zip (container file) from being scanned for filter matches, specify the name of the .zip file in the file filter list and set the action to Skip. Ordering of the filter in the list is not important. If the name of the .zip file is in the file filter list and its action is set to Skip, its contents are not scanned by the file filters. The file is, however, scanned for viruses. If you would like to skip all .zip files, create the filter: *.zip and set the action to Skip.

Note:

By default, this functionality only applies to .zip and .jar files. If you would like to enable this functionality for other archive types (TAR, GZIP, RAR, Macintosh, SMIME, and Self-Extracting .zip archives), you can set the following DWORD registry values:
Realtime Scan Job SkipFileFilterWithinCompressedRealtime
Manual Scan Job SkipFileFilterWithinCompressedManual
Transport Scan Job SkipFileFilterWithinCompressedInternet
For the location of these registry keys, see Registry keys. After creating each registry value, it should be set to 1 to enable file filtering in the specified archive types.

Note:

OPENXML files (For example, Office 2007 documents) are ZIP container files, but they are not affected by the ZIP container settings.

You can use file filters to block some file types and permit others. The files permitted through in this example are Office files, which tend to be safer than other kinds. It takes two file filters for this to work properly.

Note:

Be sure that file filter 1 is created before file filter 2, as the filters are applied, in order, from top to bottom.

First, create a file filter to permit Office files through. For this example, we will call it File Filter 1.

To create File Filter 1

In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering work pane appears.

Create a new file filter by following these steps:

Click Add.

Type <in>* as the file name and press Enter.

Clear All Types in the File Types section.

Click Yes to confirm.

Select the DOC, OPENXML, TNEF file types. (TNEF is required since it is the wrapper around file attachments for internal mail.)

Set the Action to Skip: detect only.

Clear Quarantine Files.

Save the filter.

Next, create a filter to block all files. We will call it File Filter 2. As long as you have created File Filter 1 first, Office files are permitted and all other files are blocked.

To create File Filter 2

In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering work pane appears.

Create a new file filter by following these steps:

Click Add.

Type * as the file name and press Enter.

Ensure that All Types is selected in the File Types section.

Set the action to Block or Purge, as desired.

Select Quarantine Files.

Select Send Notifications.

Save the filter.

Note:

It is important to realize that the Skip: detect only action in the first filter generates an Incident Log entry for almost every attachment received. Also, TNEF is used for all internal Exchange e-mail, so if you create these filters on a Hub server (Exchange Server 2007 only), you will generate an event for every email. That can quickly overwhelm your server and inflate your Incident Log to an unmanageable size. You can ease this problem by making sure the file name of the first rule is "<in>*". Thus, the rule would only be invoked for inbound email, although a lot of events are still generated. Also, if you select Quarantine Files in the second Filter, you will likely get a lot of quarantined files.

As well as creating individual file filters, you can create lists of them to have collections of filters for use by different scan jobs or simply to organize your filters. The individual filters are created in the same way as previously described, but now, each filter is part of a list.

In the FILTERING section of the Shuttle Navigator, click the Filter Lists icon.

In the List Types pane, select Files.

In the List Names section, click the Add button.

Type a name for the new list and then press Enter. The empty list appears in the List Names section.

With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to add file names to the list.

In the Include In Filter section, click the Add button.

Type a file name to be included in the filter list. Press ENTER when you are finished typing. You may have as many items as you want, but each must be entered separately. Each follows all the rules already discussed for creating single file filters.

The Exclude From Filter section is used to enter file names that should never be included on the file filter list. This prevents those file names from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.

When you are finished adding items, click OK. The list of items you just entered appears, alphabetically, in the pane next to List Names.

Data for filter lists may be created offline in Notepad or a similar text editor and then imported into the appropriate filter list using the Forefront Server Security Administrator. Note that Forefront Security for Exchange Server can only import lists that are UTF-16 or ANSI files. Other Unicode types will not be properly imported.

To create and import entries into a filter list

Create a list and save it as a text file. Place each filter on its own line in the file.

In the FILTERING section of the Shuttle Navigator, click Filter Lists.

Select the filter list into which you will be importing data.

Click Edit. The Edit Filter List dialog box appears.

Click the Import button. A File Explorer window opens. Use it to navigate to the text file you created in step 1.

Select the file and click Open.

The file is imported into the middle pane of the Import List editor to enable you to select the entries you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.

Filter set templates can be created for use with any Forefront Security for Exchange Server scan job. A single filter set template can be associated with any or all of the scan jobs and you can also create multiple filter set templates for use on different servers or different scan jobs. For information on creating and configuring filter set templates, see "Filter Set Templates" in Content filtering.

Support for file filtering by name in Forefront Security for Exchange Server extends beyond the English character set. For example, messages with an attachment that includes Japanese characters, words, or phrases are handled in the same manner as English character sets.

The Incidents work pane contains statistics counters that log the number of attachments that meet specified criteria and thus cause the message in which they reside to be purged. These counters can also be found in the Windows Performance snap-in.